Authorization Code Grant

Authorization Code Grant

March 30, 2024 | seedling, permanent

tags :

Grant Types or OAuth flow in OAuth2 #

Description #

  • Involves an extra step of exchanging an Authorization Code for an Access Token, adding a layer of Security.
  • Can be enhanced with PKCE (Proof Key for Code Exchange), where the client creates a code verifier and its hashed version, the code challenge, to protect against interception attacks.

Use Cases #

  • Web applications
  • Server-to-server communication
  • Suitable for public clients like mobile apps and single-page applications when used with PKCE.

Security #

  • Highly secure due to the extra authorization code exchange step.
  • PKCE adds an additional layer of security for public clients by ensuring that the access token is only granted to the authentic requesting client.

Implementing it in Identity Domain in OCI #

Get the domain URL #

append “oauth2/v1/authorize” to the URL #

https://domainurl:port/oauth2/v1/authorize

add query parameters #

  1. client_id
  2. response_type=token
  3. redirect_uri
  4. state (CSRF Forgeries)

enhance it with PKCE #

  1. state
  2. code_challenge
  3. cod_challengemethod

Scope #

scope=openid is needed because application needs to know who the user is.

  1. When a client application initiates the PKCE flow, it needs to specify that it wants to authenticate users and obtain identity-related information.
  2. The scope=openid indicates that the client application is interested in receiving OpenID Connect Claim or user attributes, such as user ID, name, email, etc.
  3. These claims are essential for identifying and verifying the user’s identity.

Example #

https://domain-url?client_id=xyz&response_type=code&scope=openid&redirect_uri=https://localhost:8001&code_challenge=xyz&code_challenge_method=S256&state=797335

Links to this note

Calendar March 30, 2024

Go to random page

Previous Next